Cisco Support Community
New Member

Pix and VPN Concentrator

We have a PIX firewall in place with an outside address 63.1.1.2. We also have a 3015 concentrator that is directly connected outside with a public IP address of 63.1.1.3. Network Layout...

Internet--Router--switch--Pix------Switch---Internal
         63.1.1.1   |   63.1.1.2
                    |
                    |-----VPN 3015 Public INT
                          63.1.1.3

Can I attach our VPN 3015 to the PIX so I can protect it?

1 REPLY
New Member

Re: Pix and VPN Concentrator

Here is a solution:

Place your VPN concentrator's public interface behind your perimeter router and create a "dirty DMZ", using ACLs to control specific traffic to the concentrator. Then, put the private interface of the concentrator in your DMZ, off of the PIX. If you are using CBAC on your perimeter router, you can really tighten it up.

This is the way I have my VPN set up. It allows only VPN traffic to the public interface. And, since the private interface terminates in the DMZ, I have 2 ways of controlling what comes out of the VPN tunnel: ACLs pushed from policies on the concentrator and ACLs on the PIX. Probably overkill, but it's a very secure environment.

biz
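
A sketch of the perimeter-router ACL described in the reply above, added here as an example and not taken from the poster's configuration. It assumes the concentrator terminates IPsec only (IKE, ESP, NAT-T); the ACL name and interface name are hypothetical, and 63.1.1.3 is the concentrator address from the original post.

```cisco
! Added example; ACL name and interface name are hypothetical.
! Assumption: the concentrator terminates IPsec only (IKE, ESP, NAT-T).
ip access-list extended DIRTY-DMZ-IN
 remark --- VPN 3015 public interface (address from the post) ---
 permit udp any host 63.1.1.3 eq isakmp
 permit esp any host 63.1.1.3
 permit udp any host 63.1.1.3 eq non500-isakmp
 remark --- anything else aimed at the concentrator is dropped and logged ---
 deny   ip any host 63.1.1.3 log
 remark --- existing perimeter rules for 63.1.1.2 and other hosts go below ---
!
interface Serial0/0
 description Internet-facing interface (hypothetical name)
 ip access-group DIRTY-DMZ-IN in
```

The per-entry hit counters from `show access-lists DIRTY-DMZ-IN` show whether non-VPN traffic is being sent to the concentrator's public address.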
